{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2580", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-20T22:27:53.445Z", "datePublished": "2025-04-25T05:25:06.373Z", "dateUpdated": "2026-04-08T16:40:57.362Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:57.362Z"}, "affected": [{"vendor": "bitpressadmin", "product": "Bit Form \u2013 Custom Contact Form, Multi Step, Conversational Form & Payment Form builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.18.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f3b5d85-a8b0-43ac-b593-a61e20b9a4ca?source=cve"}, {"url": "https://wordpress.org/plugins/bit-form/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3271396/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "timeline": [{"time": "2025-04-24T16:58:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T19:01:01.675717Z", "id": "CVE-2025-2580", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T19:01:14.207Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2580", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T19:01:01.675717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T19:01:09.678Z"}}], "cna": {"title": "Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bitpressadmin", "product": "Bit Form \u2013 Custom Contact Form, Multi Step, Conversational Form & Payment Form builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.18.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-24T16:58:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f3b5d85-a8b0-43ac-b593-a61e20b9a4ca?source=cve"}, {"url": "https://wordpress.org/plugins/bit-form/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3271396/"}], "descriptions": [{"lang": "en", "value": "The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:57.362Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2580", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:57.362Z", "dateReserved": "2025-03-20T22:27:53.445Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-25T05:25:06.373Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}, {"lang": "es", "value": "El complemento Contact Form de Bit Form para WordPress es vulnerable a Cross-Site Scripting Almacenado al subir archivos SVG en todas las versiones hasta la 2.18.3 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario al archivo SVG."}], "id": "CVE-2025-2580", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-25T06:15:45.457", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3271396/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/bit-form/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f3b5d85-a8b0-43ac-b593-a61e20b9a4ca?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:28:51.029924+00:00", "value": {"mitigation_remediation": ["Upgrade the Bit Form plugin to version 2.18.4 or later, which removes the SVG upload vulnerability.", "If an upgrade is not immediately possible, disable the SVG upload feature or restrict uploads to safe file types.", "Implement input validation that rejects SVG files or sanitizes them to strip executable content, and enforce a Content Security Policy that blocks inline scripts from SVG resources."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Bit Form \u2013 Custom Contact Form, Multi Step, Conversational Form & Payment Form builder plugin installed in versions 2.18.3 or earlier. Any site that permits SVG uploads through this plugin is susceptible.", "description_and_impact": "The Bit Form plugin for WordPress contains a stored cross\u2011site scripting flaw that arises when users upload SVG files. The plugin does not sufficiently sanitize the file content or escape output, allowing an authenticated user with Author or higher privileges to embed malicious scripts. When a victim subsequently views the SVG, the script runs in the victim\u2019s browser, enabling session hijacking, credential theft, or defacement.", "risk_and_exploitability": "The vulnerability is rated with a CVSS score of 4.9, indicating moderate severity, and has an EPSS score of <1\u202f%, meaning the likelihood of exploitation is low at present. It is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Author\u2011level permissions, and the attack path involves uploading a crafted SVG file via the plugin\u2019s file\u2011upload interface."}}}}, "created": "2026-04-22T17:30:22.638293+00:00", "updated": "2026-04-22T17:30:22.638305+00:00", "vendors": []}